search

jfitzell / mozilla-keychain

Store your Firefox website usernames and passwords in Apple's Keychain Services, just like Safari and other browsers do on OS X.
55 stars 9 forks source link

When asking to show password, Thunderbird prompts for *all* entries in Keychain #55

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
1. Open Preferences [cmd]+[,] →
2. Go to Security tab
3. Press Saved passwords
4 a. Press Show passwords OR
4 b. Search for one password and press Show passwords

What is the expected output? What do you see instead?
I was surprised after step 3, because the plugin showed every single entry from 
Keychain. I assume this is because of the cross-usage with Firefox. I don't use 
that browser (because of the security problem this plugin is trying to fix), so 
I had expected Thunderbird to only show the password(s) for the active 
account(s). 

To test if it would show them all, I pressed the button.

This lead to a torrent of "always allow, allow, deny"-prompts. I know these 
prompts were created by Keychain, but Thunderbird kept querying for the next 
password. I really wanted a "stop this" option, or perhaps a warning prompt, 
before asking me to authenticate by typing in 238 passwords.

After force quitting Thunderbird, I tried step 4 b to limit the number of 
queries. It did not succeed in limiting it. The plugin still asked for all 238 
authentications, rather than the one. 

What version of the product are you using? On what operating system?
Keychain Services Integration 1.1.5 (16/6 2013) in Thunderbird 17.0.6 on 
OSX.8.4 (12E55)

Please provide any additional information below.
I know there might be a workaround through sorting my keys in multiple 
keychains, but this is rather difficult, as different apps doen't ask where to 
store saved passwords.

Original issue reported on code.google.com by rasmus.m...@gmail.com on 16 Jun 2013 at 8:36

GoogleCodeExporter commented 9 years ago 
Options are somewhat limited because (a) OS X prompts you to authenticate if 
you have not already given permission for the individual keychain entry and (b) 
Mozilla decides when to ask for the passwords (the extension just provides a 
different place for it to look).

In Firefox, I actually ended up removing the button that opens that password 
dialog box and replacing it with a button that launches Keychain Access 
instead. I might be able to figure out how to do the same in Thunderbird but I 
think it wasn't obvious to me when I looked last time...

Another option would be to never return passwords unless you had explicitly 
granted permission to Thunderbird in Keychain Access, but that requires users 
to know an awful lot about how the keychain works and kind of goes against one 
of the benefits of using the Keychain, which is that you can share passwords 
between applications.

I've been doing a little bit of work on the extension over the past few weeks, 
so I can try to take a look at it again in Thunderbird and see if I can come up 
with anything brilliant.

Original comment by jfitz...@gmail.com on 16 Jun 2013 at 11:08

GoogleCodeExporter commented 9 years ago

Original comment by jfitz...@gmail.com on 24 Sep 2013 at 10:06